I have updated the blog post in https://github.com/apache/pulsar/pull/13274/files
*If upgrading is not an option, you may also mitigate by adding `-Dlog4j2.formatMsgNoLookups=true` to the `PULSAR_EXTRA_OPTS` in the `configData` section for proxy, broker, bookkeeper, zookeeper, auto-recovery, and relative components in the helm values file.*

On Mon, Dec 13, 2021 at 11:38 AM Dave Fisher <w...@apache.org> wrote:
> Please see the blog post @ https://pulsar.apache.org/blog/
>
> December 11, 2021
>
> Matteo Merli
>
> Yesterday, a new serious vulnerability was reported regarding Log4j that can allow remote execution for attackers.
>
> The vulnerability issue is described and tracked under CVE-2021-44228 <https://nvd.nist.gov/vuln/detail/CVE-2021-44228>.
>
> Current releases of Apache Pulsar are bundling Log4j2 versions that are affected by this vulnerability. We strongly recommend to follow the advisory of the Apache Log4j community and patch your systems as soon as possible.
>
> There are 2 workarounds to patch a Pulsar deployment. You can set either of:
>
> Java property: -Dlog4j2.formatMsgNoLookups=true
> Environment variable: LOG4J_FORMAT_MSG_NO_LOOKUPS=true
>
> Both approaches are effective in mitigating the vulnerability for Pulsar services.
>
> Additionally, when running Pulsar Functions with Kubernetes runtime, you should update your Docker images, following the example described here <https://github.com/lhotari/pulsar-docker-images-patch-CVE-2021-44228>.
>
> If you are using the Pulsar Helm Chart for deploying in Kubernetes, a new version of the chart <https://github.com/apache/pulsar-helm-chart/releases/tag/pulsar-2.7.6> is already available and it applies the above mentioned workaround.
>
> We are already preparing new patch releases, 2.7.4, 2.8.2 and 2.9.1. These releases will be ready in the next few days and will bundle the Log4j2 2.15.0, which contains the vulnerability fix.
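The thread describes two mitigations (the `-Dlog4j2.formatMsgNoLookups=true` JVM property, or the `LOG4J_FORMAT_MSG_NO_LOOKUPS=true` environment variable) and says the Helm route is to put the flag into each component's `configData.PULSAR_EXTRA_OPTS`. The script below is an added example, not code from the thread, the blog post or the Pulsar project: it audits a Helm values file and lists the components whose `configData` carries neither mitigation, so a forgotten component (a common way this workaround fails) shows up before the chart is applied. It assumes the values layout the thread implies (a top-level key per component with a `configData` map underneath); the sample values file it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the Pulsar project): check a Helm
# values file for the CVE-2021-44228 workaround in each component's configData.
# Assumed layout: top-level keys such as proxy/broker/bookkeeper/zookeeper/
# autorecovery, each with a configData map that may carry PULSAR_EXTRA_OPTS
# or LOG4J_FORMAT_MSG_NO_LOOKUPS.

# audit_values FILE COMPONENT...
# Prints the components whose configData has neither mitigation;
# returns 0 when every component is covered, 1 otherwise.
audit_values() {
  file=$1; shift
  missing=""
  for comp in "$@"; do
    # awk tracks the current top-level key (a line starting at column 0);
    # inside the wanted component it accepts either mitigation form.
    if ! awk -v comp="$comp" '
      /^[A-Za-z0-9_-]+:/ { top = $1; sub(/:$/, "", top) }
      top == comp && /PULSAR_EXTRA_OPTS:/ && /-Dlog4j2\.formatMsgNoLookups=true/ { found = 1 }
      top == comp && /LOG4J_FORMAT_MSG_NO_LOOKUPS:/ && /true/ { found = 1 }
      END { exit found ? 0 : 1 }' "$file"; then
      missing="$missing $comp"
    fi
  done
  missing=${missing# }
  printf '%s\n' "$missing"
  [ -z "$missing" ] && return 0
  return 1
}

# demo: constructed values file where broker and zookeeper were missed.
# Prints "broker zookeeper" and returns 1.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
# constructed sample values, not the chart's real defaults
proxy:
  configData:
    PULSAR_EXTRA_OPTS: "-Dlog4j2.formatMsgNoLookups=true"
broker:
  configData:
    PULSAR_MEM: "-Xms512m -Xmx512m"
bookkeeper:
  configData:
    LOG4J_FORMAT_MSG_NO_LOOKUPS: "true"
zookeeper:
  configData: {}
EOF
  if audit_values "$tmp" proxy broker bookkeeper zookeeper; then rc=0; else rc=$?; fi
  rm -f "$tmp"
  return $rc
}
```

Run it against the real values file with `audit_values values.yaml proxy broker bookkeeper zookeeper autorecovery` before `helm upgrade`; a non-zero exit with a component list means the workaround is incomplete for that release. Matching on the literal flag text keeps the check conservative: a component that sets the option through some other mechanism is reported as missing rather than silently assumed safe.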